SFTP transfer produces too many audit events #21518

Closed
Tracked by #22933
jakule opened this issue Feb 9, 2023 · 1 comment · Fixed by #23786

jakule commented Feb 9, 2023

While transferring files over SFTP, many audit events are produced for read/write actions, for example:

2023-02-08T21:04:07-05:00 INFO [AUDIT]     sftp action:3 addr.local:[::1]:3022 addr.remote:[::1]:64584 cluster_name:example.com code:TS003I ei:0 event:sftp login:jnyckowski namespace:default path:/Users/jnyckowski/teleport/teleport-v12.0.0-dev-linux-amd64-bin.tar.gz server_hostname:example.com server_id:854e9299-c604-4af8-baa9-2580c4337a84 sid: time:2023-02-09T02:04:06.217591Z uid:21bdb751-9936-4b17-b37d-fd23a4c09a23 user:bob working_directory:/Users/jnyckowski events/emitter.go:265
2023-02-08T21:04:07-05:00 INFO [AUDIT]     sftp action:3 addr.local:[::1]:3022 addr.remote:[::1]:64584 cluster_name:example.com code:TS003I ei:0 event:sftp login:jnyckowski namespace:default path:/Users/jnyckowski/teleport/teleport-v12.0.0-dev-linux-amd64-bin.tar.gz server_hostname:example.com server_id:854e9299-c604-4af8-baa9-2580c4337a84 sid: time:2023-02-09T02:04:06.217591Z uid:21bdb751-9936-4b17-b37d-fd23a4c09a23 user:bob working_directory:/Users/jnyckowski events/emitter.go:265
{"ei":0,"event":"sftp","uid":"21bdb751-9936-4b17-b37d-fd23a4c09a23","code":"TS003I","time":"2023-02-09T02:04:06.217591Z","cluster_name":"example.com","user":"bob","login":"jnyckowski","addr.local":"[::1]:3022","addr.remote":"[::1]:64584","sid":"","namespace":"default","server_id":"854e9299-c604-4af8-baa9-2580c4337a84","server_hostname":"example.com","working_directory":"/Users/jnyckowski","path":"/Users/jnyckowski/teleport/teleport-v12.0.0-dev-linux-amd64-bin.tar.gz","action":3}
2023-02-08T21:04:07-05:00 INFO [AUDIT]     sftp action:3 addr.local:[::1]:3022 addr.remote:[::1]:64584 cluster_name:example.com code:TS003I ei:0 event:sftp login:jnyckowski namespace:default path:/Users/jnyckowski/teleport/teleport-v12.0.0-dev-linux-amd64-bin.tar.gz server_hostname:example.com server_id:854e9299-c604-4af8-baa9-2580c4337a84 sid: time:2023-02-09T02:04:06.217912Z uid:18321906-e9e4-4cd9-a4b8-1ee077b64233 user:bob working_directory:/Users/jnyckowski events/emitter.go:265
2023-02-08T21:04:07-05:00 INFO [AUDIT]     sftp action:3 addr.local:[::1]:3022 addr.remote:[::1]:64584 cluster_name:example.com code:TS003I ei:0 event:sftp login:jnyckowski namespace:default path:/Users/jnyckowski/teleport/teleport-v12.0.0-dev-linux-amd64-bin.tar.gz server_hostname:example.com server_id:854e9299-c604-4af8-baa9-2580c4337a84 sid: time:2023-02-09T02:04:06.217912Z uid:18321906-e9e4-4cd9-a4b8-1ee077b64233 user:bob working_directory:/Users/jnyckowski events/emitter.go:265
{"ei":0,"event":"sftp","uid":"18321906-e9e4-4cd9-a4b8-1ee077b64233","code":"TS003I","time":"2023-02-09T02:04:06.217912Z","cluster_name":"example.com","user":"bob","login":"jnyckowski","addr.local":"[::1]:3022","addr.remote":"[::1]:64584","sid":"","namespace":"default","server_id":"854e9299-c604-4af8-baa9-2580c4337a84","server_hostname":"example.com","working_directory":"/Users/jnyckowski","path":"/Users/jnyckowski/teleport/teleport-v12.0.0-dev-linux-amd64-bin.tar.gz","action":3}
2023-02-08T21:04:07-05:00 INFO [AUDIT]     sftp action:3 addr.local:[::1]:3022 addr.remote:[::1]:64584 cluster_name:example.com code:TS003I ei:0 event:sftp login:jnyckowski namespace:default path:/Users/jnyckowski/teleport/teleport-v12.0.0-dev-linux-amd64-bin.tar.gz server_hostname:example.com server_id:854e9299-c604-4af8-baa9-2580c4337a84 sid: time:2023-02-09T02:04:06.218102Z uid:9136fffb-ac55-4dd3-a274-62f4b8cb6cb5 user:bob working_directory:/Users/jnyckowski events/emitter.go:265
2023-02-08T21:04:07-05:00 INFO [AUDIT]     sftp action:3 addr.local:[::1]:3022 addr.remote:[::1]:64584 cluster_name:example.com code:TS003I ei:0 event:sftp login:jnyckowski namespace:default path:/Users/jnyckowski/teleport/teleport-v12.0.0-dev-linux-amd64-bin.tar.gz server_hostname:example.com server_id:854e9299-c604-4af8-baa9-2580c4337a84 sid: time:2023-02-09T02:04:06.218102Z uid:9136fffb-ac55-4dd3-a274-62f4b8cb6cb5 user:bob working_directory:/Users/jnyckowski events/emitter.go:265
{"ei":0,"event":"sftp","uid":"9136fffb-ac55-4dd3-a274-62f4b8cb6cb5","code":"TS003I","time":"2023-02-09T02:04:06.218102Z","cluster_name":"example.com","user":"bob","login":"jnyckowski","addr.local":"[::1]:3022","addr.remote":"[::1]:64584","sid":"","namespace":"default","server_id":"854e9299-c604-4af8-baa9-2580c4337a84","server_hostname":"example.com","working_directory":"/Users/jnyckowski","path":"/Users/jnyckowski/teleport/teleport-v12.0.0-dev-linux-amd64-bin.tar.gz","action":3}
2023-02-08T21:04:07-05:00 INFO [AUDIT]     sftp action:3 addr.local:[::1]:3022 addr.remote:[::1]:64584 cluster_name:example.com code:TS003I ei:0 event:sftp login:jnyckowski namespace:default path:/Users/jnyckowski/teleport/teleport-v12.0.0-dev-linux-amd64-bin.tar.gz server_hostname:example.com server_id:854e9299-c604-4af8-baa9-2580c4337a84 sid: time:2023-02-09T02:04:06.219097Z uid:9207ec4c-c553-439c-8571-6efda3f03ffd user:bob working_directory:/Users/jnyckowski events/emitter.go:265
2023-02-08T21:04:07-05:00 INFO [AUDIT]     sftp action:3 addr.local:[::1]:3022 addr.remote:[::1]:64584 cluster_name:example.com code:TS003I ei:0 event:sftp login:jnyckowski namespace:default path:/Users/jnyckowski/teleport/teleport-v12.0.0-dev-linux-amd64-bin.tar.gz server_hostname:example.com server_id:854e9299-c604-4af8-baa9-2580c4337a84 sid: time:2023-02-09T02:04:06.219097Z uid:9207ec4c-c553-439c-8571-6efda3f03ffd user:bob working_directory:/Users/jnyckowski events/emitter.go:265
{"ei":0,"event":"sftp","uid":"9207ec4c-c553-439c-8571-6efda3f03ffd","code":"TS003I","time":"2023-02-09T02:04:06.219097Z","cluster_name":"example.com","user":"bob","login":"jnyckowski","addr.local":"[::1]:3022","addr.remote":"[::1]:64584","sid":"","namespace":"default","server_id":"854e9299-c604-4af8-baa9-2580c4337a84","server_hostname":"example.com","working_directory":"/Users/jnyckowski","path":"/Users/jnyckowski/teleport/teleport-v12.0.0-dev-linux-amd64-bin.tar.gz","action":3}
2023-02-08T21:04:07-05:00 INFO [AUDIT]     sftp action:3 addr.local:[::1]:3022 addr.remote:[::1]:64584 cluster_name:example.com code:TS003I ei:0 event:sftp login:jnyckowski namespace:default path:/Users/jnyckowski/teleport/teleport-v12.0.0-dev-linux-amd64-bin.tar.gz server_hostname:example.com server_id:854e9299-c604-4af8-baa9-2580c4337a84 sid: time:2023-02-09T02:04:06.219216Z uid:2fbc0a71-021d-4e62-8fdf-2a3906e200ff user:bob working_directory:/Users/jnyckowski events/emitter.go:265
2023-02-08T21:04:07-05:00 INFO [AUDIT]     sftp action:3 addr.local:[::1]:3022 addr.remote:[::1]:64584 cluster_name:example.com code:TS003I ei:0 event:sftp login:jnyckowski namespace:default path:/Users/jnyckowski/teleport/teleport-v12.0.0-dev-linux-amd64-bin.tar.gz server_hostname:example.com server_id:854e9299-c604-4af8-baa9-2580c4337a84 sid: time:2023-02-09T02:04:06.219216Z uid:2fbc0a71-021d-4e62-8fdf-2a3906e200ff user:bob working_directory:/Users/jnyckowski events/emitter.go:265
{"ei":0,"event":"sftp","uid":"2fbc0a71-021d-4e62-8fdf-2a3906e200ff","code":"TS003I","time":"2023-02-09T02:04:06.219216Z","cluster_name":"example.com","user":"bob","login":"jnyckowski","addr.local":"[::1]:3022","addr.remote":"[::1]:64584","sid":"","namespace":"default","server_id":"854e9299-c604-4af8-baa9-2580c4337a84","server_hostname":"example.com","working_directory":"/Users/jnyckowski","path":"/Users/jnyckowski/teleport/teleport-v12.0.0-dev-linux-amd64-bin.tar.gz","action":3}

Bug details:

  • Teleport version 10.3+
  • Recreation steps: Copy a file over SFTP
  • Debug logs
@jakule jakule added bug scp sftp Issues related to Teleport's SFTP implementation labels Feb 9, 2023

eriksw commented Feb 9, 2023

I'm affected by this too. The audit log in my teleport cloud cluster is flooded with over 2000 events from somebody copying a file two times. This has made the audit log totally unusable—when I select "Today" I can't see anything older than an hour ago!
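
An added example, not part of the issue thread or of Teleport's code: a log consumer can fold the per-chunk `sftp` events into one record per transfer so the rest of the audit trail stays readable. The field names are those in the JSON events quoted above; the grouping key, the helper `_ev` and the sample records are assumptions constructed for illustration.

```python
import json

# Fields that together identify one logical transfer. The field names are the
# ones in the JSON events quoted in the issue; grouping on them is an assumption.
KEY_FIELDS = ("cluster_name", "user", "login", "addr.remote",
              "server_id", "path", "action")

def collapse_sftp_events(lines):
    """Return events in order, with each run of per-chunk `sftp` events for the
    same transfer folded into one record carrying count/first_time/last_time."""
    out, groups, seen_uids = [], {}, set()
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue                      # text-format "[AUDIT]" line, not JSON
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                      # truncated or corrupt record
        uid = ev.get("uid")
        if uid is not None and uid in seen_uids:
            continue                      # same event exported twice
        seen_uids.add(uid)
        if ev.get("event") != "sftp":
            out.append(ev)                # other audit events pass through
            continue
        key = tuple(ev.get(f) for f in KEY_FIELDS)
        if key not in groups:
            summary = {f: ev.get(f) for f in KEY_FIELDS}
            summary.update(event="sftp", count=0, first_time=ev.get("time"))
            groups[key] = summary
            out.append(summary)           # keep position of the first event
        groups[key]["count"] += 1
        groups[key]["last_time"] = ev.get("time")   # input is in log order
    return out

def _ev(uid, time, path, event="sftp"):
    # Constructed sample record, shaped like the JSON events in the issue.
    return json.dumps({"event": event, "uid": uid, "time": time,
                       "cluster_name": "example.com", "user": "alice",
                       "login": "alice", "addr.remote": "[::1]:50000",
                       "server_id": "srv-1", "path": path, "action": 3})

SAMPLE = [
    "2023-01-01T00:00:00Z INFO [AUDIT] sftp action:3 path:/tmp/a.tar.gz",  # text line
    _ev("u1", "2023-01-01T00:00:00.000001Z", "/tmp/a.tar.gz"),
    _ev("u2", "2023-01-01T00:00:00.000002Z", "/tmp/a.tar.gz"),
    _ev("u2", "2023-01-01T00:00:00.000002Z", "/tmp/a.tar.gz"),  # duplicate uid
    _ev("u3", "2023-01-01T00:00:00.000003Z", "/tmp/x", event="session.start"),
    _ev("u4", "2023-01-01T00:00:00.000004Z", "/tmp/a.tar.gz"),
    '{"event":"sftp","uid":"u5"',                               # truncated record
]
```

The `count` on each summary is worth keeping in the output: a transfer with thousands of chunk events is itself a signal of a large file moving through the node.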
